Tokenization and prevention of online card fraud
21st Oct, 2022
The Reserve Bank of India (RBI) has mandated the tokenization of credit/debit cards for online merchants from October 1st, 2022.
What is tokenization?
- Tokenization refers to replacing actual card details with an alternate code known as the 'token', which shall be unique for a combination of card, token requestor, and identified device.
- A tokenized card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
- Customers who do not have the tokenization facility will have to key in their name, 16-digit card number, expiry date, and CVV each time they order something online.
- As of now, about 19.5 crore tokens have been created. Opting for Card-on-File Tokenization (CoFT) services (creating tokens) is voluntary for cardholders.
- The Reserve Bank of India (RBI) has permitted authorized card payment networks to offer card tokenization services to consumers requesting it, in an effort to improve the safety and security of card transactions.
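The binding described above (a token unique to a combination of card, token requestor, and device) can be sketched as follows. This is an added example, not part of the original article and not any card network's API: `TokenService`, the requestor names, and the device IDs are hypothetical, and the card number is a constructed test value.

```python
import secrets

class TokenService:
    """Toy token service standing in for a card network (hypothetical API)."""
    def __init__(self):
        self._token_for = {}    # (card, requestor, device) -> token
        self._binding_of = {}   # token -> (card, requestor, device)

    def tokenize(self, card, requestor, device):
        """Return the token for this exact card/requestor/device combination."""
        binding = (card, requestor, device)
        if binding not in self._token_for:
            # Random surrogate, not derived from the card number.
            token = "tok_" + secrets.token_hex(8)
            self._token_for[binding] = token
            self._binding_of[token] = binding
        return self._token_for[binding]

    def detokenize(self, token, requestor, device):
        """Resolve a token only for the requestor and device it was issued to."""
        binding = self._binding_of.get(token)
        if binding is None:
            raise KeyError("unknown token")
        card, bound_requestor, bound_device = binding
        if (requestor, device) != (bound_requestor, bound_device):
            raise PermissionError("token not valid for this requestor/device")
        return card

def demo():
    """Constructed sample data; 4111... is a test card number, not a real card."""
    card = "4111111111111111"
    svc = TokenService()
    shop = svc.tokenize(card, "shop.example", "phone-1")
    airline = svc.tokenize(card, "airline.example", "phone-1")
    merchant_db = {"customer-42": shop}          # what the merchant stores
    try:
        svc.detokenize(shop, "airline.example", "phone-1")
        misuse_blocked = False
    except PermissionError:
        misuse_blocked = True
    return {
        "distinct_per_requestor": shop != airline,
        "card_in_merchant_db": card in merchant_db.values(),
        "misuse_blocked": misuse_blocked,
        "owner_resolves": svc.detokenize(shop, "shop.example", "phone-1") == card,
    }

if __name__ == "__main__":
    print(demo())
```

A token copied out of one merchant's database fails when presented by a different requestor or device, which is why a merchant breach exposes no reusable card details.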
What do the new guidelines say about the functioning of online transactions?
- From 1st October 2022, merchants will not be allowed to store your card numbers, CVV, and expiry date for processing online transactions unless the card number is tokenized.
- Any existing details that were saved by merchants will be deleted.
What is Card-on-File (CoF)?
- A CoF transaction is a transaction where a cardholder has authorized a merchant to store the cardholder’s Mastercard or Visa payment details.
- The cardholder then authorizes that same merchant to bill the cardholder’s stored Mastercard or Visa account.
- E-commerce companies, airlines, and supermarket chains normally store card details.
Why is the Tokenization of Cards Required?
- Risk of misuse: Many entities involved in an online card transaction chain store card data, such as the card number and expiry date, as Card-on-File (CoF) for undertaking transactions in the future.
- While this practice does render convenience, the availability of card details with multiple entities increases the risk of card data being stolen or misused.
- Within India as well, social engineering techniques can be employed to perpetrate fraud using such data.
What are the benefits of tokenization?
- Less sharing of Personal Data
- Ensures safe transactions
- Tokenization reduces risk from data breaches: Tokenization helps protect a business from the negative financial impacts of data theft. Even in the case of a breach, valuable personal data simply isn't there to steal.
- Tokenization means less red tape for businesses: Businesses that accept credit and debit cards need to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Tokenization makes achieving and maintaining compliance with industry regulations significantly easier.
What are the cases (instances/scenarios) for which tokenization has been allowed?
- Tokenization has been allowed through mobile phones and/or tablets for all use cases/channels (e.g., contactless card transactions, payments through QR codes, apps, etc.).